Fraud and financial crimes: Regulatory challenges

Maintaining focus: Fraud and financial crimes

Reduce synthetic identity fraud by integrating automation and analytics into your client onboarding and maintenance processes. 

Synthetic identity fraud (SIF) is among the fastest growing financial crimes in the United States. In contrast with traditional identity theft, SIF uses a combination of real and fabricated information to create a new identity and build a credit file over time – which makes it difficult to flag as suspicious using conventional fraud detection models.

Ways to mitigate SIF risks: 

• Voluntary use of the SIF definition (as introduced by the FRB - “the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain”).
• Application of a multi-layered approach including manual and technological data analysis.
• Use of additional data sources beyond basic PII (name, date of birth, SSN, address).
• Implementation of robust link analysis processes to look across banking instruments (e.g., lending and checking accounts) or across banking entities. 

Legislative and regulatory issues that can help or hurt identification of SIFs include roll-out of the Social Security Administration’s (SSA) electronic Consent Based SSN Verification service; SSA’s rule for randomized SSNs; FTC’s simplified dispute process for identity theft; the FCRA dispute process; and restrictions under certain state data privacy rules.

Increase your defenses against account takeover and social engineering for real time payments through the eradication of out-of-date authentication technologies.  

Real-time and faster payments shorten financial transaction clearing times, raising the potential for security and fraud risks and reinforcing the need for updated and agile security and fraud detection programs, including authentication and access protocols. Frauds to watch for might include online fraud (e.g., malware, phishing attempts), first-party fraud (e.g., SIFs), and false claims.

• The U.S. payments industry continues to drive towards providing faster, cheaper, and more transparent payment services; the FRB now projects its real-time payment service will be available in 2023 following a pilot run during 2021.
• Balancing the volume and speed of faster processes with customer data privacy and security continues to be a challenge; compliance processes related to custody, know your customer, anti-money laundering, and fraud, often operate more slowly than the pace of payments. A shift to open banking may increase these risks.
• Digital native fintechs, Big Techs, and non-banks pose both competition and partnership opportunity to financial institutions. CFPB and FTC are each reviewing the impact of Big Tech networks and data collection through their payments systems.

Establish a mature insider risk program, that includes behavioral models and scenario analysis, to reduce the likelihood of employee conduct and financial crime risk (including reputational harm, espionage, embezzlement, market and price manipulation).

Insider threats reflect a combination of technology and human risks. In the digital environment, insider attacks can result in financial and intellectual property theft, damaged or destroyed assets, and firm-wide disruption to internal systems and customer operations. Prevention and detection, however, can be difficult because of insiders’ familiarity with, and trusted access to, firm systems; human input, analysis, and intelligence is needed to interpret technical data (e.g., from cybersecurity tools) and identify anomalous insider behavior. The scope of insiders will include directors, employees, contractors, and third parties. 

Key features of an insider risk management program should include: 

• A governance structure with board and senior management oversight; cross-organizational participation including IT, Legal, HR, Ethics & Compliance; recognition of legal and privacy requirements concerning monitoring and surveillance.
• A culture of compliance, with clearly conveyed behavioral expectations, consistently enforced consequences for violations, and ongoing communications covering evolving threats. 
• Training and awareness programs for all personnel, customized by access level, systems privilege rights, and job responsibilities, including related specific insider threat risks and challenges.
• Use of technical tools to monitor behavior combined with human input and analysis (e.g., context, correlate/aggregate risks) to interpret data and identify anomalous insider behavior. 

Regulatory expectations regarding the technical tools may be influenced by:

• FinCEN’s expanded technology resources and focus on innovation, including machine learning and enhanced data analytics, brought about by the AMLA. 
• FFIEC guidance outlining effective risk management principles and practices for access and authentication. 
• The impending government-wide shift to “zero-trust” security, which may set expectations for supervised firms.

Strengthen controls around evolving regulatory focal areas. 

FinCEN released government-wide AML/CFT priorities in June 2021 and include corruption; cybercrime (including cybersecurity and virtual currency considerations); terrorist financing; fraud (including SIF); transnational criminal organization activity; drug trafficking; human trafficking; and proliferation financing.

Regulators will expect financial institutions to:

• Incorporate the priorities into their risk-based AML compliance programs once final regulations have been issued and become effective (proposals anticipated in 2022). 
• Consider, in light of the priorities, risks associated with their products, services, customers, and geographic operations. 

Regulatory attentions are also turning to: 

• Ransomware demands via virtual currency. 
• Forthcoming regulations covering beneficial ownership information reporting.
• Suspicious activity reporting for environmental crimes. 
• ESG-factors such as human rights and workplace safety across third-party vendors. 
• Changes to policies to facilitate investigations and enforcement activity, including criminal enforcement guidelines, and related compulsory process demands. Areas highlighting compliance investment, consumer protections, fair competition, and individual and corporate accountability for compliance failures and misconduct (DOJ, FTC, CFPB).